On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:
> also sprach Joe Dollard <[EMAIL PROTECTED]> [2002.03.25.2114 +0100]:

Hi,

> >     The version of proftp that is in debian potato (1.2.0pre10 as
> >     reported by running 'proftpd -v ') is vulnerable to a glob DoS
> >     attack, as discovered on the 15th March 2001. You can verify this
> >     bug by logging in to a server running debian stable's proftpd and
> >     typing "ls
> >     */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*".
> >     This results in 100% of the CPU and memory resources being
> >     consumed (more info at http://proftpd.linux.co.uk/critbugs.html),
> 
> (please fix your line wraps!)
> 
> security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not
> contain this bug, at least not on i386 systems:
> 
> fishbowl:~> ncftp lapse.home.madduck.net
> NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason ([EMAIL PROTECTED]).
> Connecting to 192.168.14.3
> ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
> Logging in...
> 
> Anonymous access granted, restrictions apply.
> Logged in to localhost.
> ncftp / > ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> <and on for another screen full>
> 
> fishbowl:~> ssh lapse 'cat /etc/debian_version; uname -a'
> 2.2r5
> Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486

If my understanding of this bug is right, the new bug with the old problem
is in mod_sql. So if you don't use it, you should not be vulnerable because no
input data is passed through it.
Another thing: the vulnerable mod_sql release was not shipped with the proftpd
stable release.

Sven

-- 
Lamer! :)\nLocal admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de
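
Why the `ls */../*/...` argument quoted above is so expensive, as an added example that is not part of the original thread and not ProFTPD's code: each wildcard component can match every entry of the directory and `..` leads straight back to it, so the number of paths the glob has to build multiplies with every wildcard component. The function names, the per-directory `entries` estimate and the `budget` are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Return 1 if the path component s[0..len) contains a glob metacharacter. */
static int has_wildcard(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '*' || s[i] == '?' || s[i] == '[')
            return 1;
    return 0;
}

/* Count the '/'-separated components of arg that contain a wildcard. */
unsigned count_wild_components(const char *arg)
{
    unsigned n = 0;
    while (*arg) {
        size_t len = strcspn(arg, "/");   /* length of this component */
        if (has_wildcard(arg, len))
            n++;
        arg += len;
        while (*arg == '/')               /* skip one or more separators */
            arg++;
    }
    return n;
}

/* Upper bound on the paths the glob can produce when no directory holds
 * more than `entries` names: entries^wild, saturating at UINT64_MAX. */
uint64_t glob_expansion_bound(const char *arg, uint64_t entries)
{
    uint64_t bound = 1;
    unsigned wild = count_wild_components(arg);
    for (unsigned i = 0; i < wild; i++) {
        if (entries != 0 && bound > UINT64_MAX / entries)
            return UINT64_MAX;            /* would overflow: saturate */
        bound *= entries;
    }
    return bound;
}

/* Hypothetical policy check to run before handing arg to glob():
 * allow it only if the worst-case expansion fits the budget. */
int glob_arg_allowed(const char *arg, uint64_t entries, uint64_t budget)
{
    return glob_expansion_bound(arg, entries) <= budget;
}
```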

